Closed Bug 323022 Opened 19 years ago Closed 19 years ago

Crash [@ nsSpaceManager::GetTranslation() line 196] with null SpaceManager on SVG documents

Categories: Core :: Layout: Block and Inline, defect
Platform: x86 Windows XP
Type: defect
Priority: Not set
Severity: major

RESOLVED DUPLICATE of bug 310436

People

(Reporter: bc, Unassigned)

Details

(Keywords: crash, testcase, Whiteboard: [sg:dupe 310436] testcases from bug 306663)

Attachments

(2 files)

Attached file stacks+assertions (deleted)
No description provided.
Doesn't look exploitable, lots of null pointers.
Whiteboard: [sg:nse]
Crashes in nsSpaceManager::GetTranslation, called by nsBlockBandData::Init. In a release build, the Mac OS X crash report tool shows nsBlockBandData::Init at the top, probably because nsSpaceManager::GetTranslation gets inlined.
Status: UNCONFIRMED → NEW
Ever confirmed: true
Keywords: testcase
Whiteboard: [sg:nse] → [sg:nse?]
Attachment #208344 - Attachment description: reduced testcase → reduced testcase (crashes at nsSpaceManager::GetTranslation)
Attached file (deleted):
0 PL_DHashTableFinish + 168
1 nsPropertyTable::GetPropertyInternal(void const*, unsigned, nsIAtom*, int, unsigned*) + 80
2 nsBlockFrame::GetFirstChild(nsIAtom*) const + 128
3 nsCSSFrameConstructor::FindFrameWithContent(nsFrameManager*, nsIFrame*, nsIContent*, nsIContent*, nsFindFrameHint*) + 244
4 nsCSSFrameConstructor::FindFrameWithContent(nsFrameManager*, nsIFrame*, nsIContent*, nsIContent*, nsFindFrameHint*) + 396
Attached file (deleted):
0 0 + 38572876
1 nsCSSFrameConstructor::ReinsertContent(nsIContent*, nsIContent*) + 676
2 nsCSSFrameConstructor::ContentRemoved(nsIContent*, nsIContent*, int, int) + 432
3 nsCSSFrameConstructor::ReinsertContent(nsIContent*, nsIContent*) + 80
4 nsCSSFrameConstructor::WipeContainingBlock(nsFrameConstructorState&, nsIFrame*, nsIFrame*, nsIFrame*) + 468
5 nsCSSFrameConstructor::ContentAppended(nsIContent*, int) + 2380
Yes. None of the attachments here crash in a debug build with that patch applied.
Depends on: 310436
And fixed in opt builds from atlantia (yesterday's nightly crashes; a very recent hourly doesn't), now that the patch in bug 310436 has been checked in :) Should this be marked as fixed, wfm, or dup?
*** This bug has been marked as a duplicate of 310436 ***
Status: NEW → RESOLVED
Closed: 19 years ago
No longer depends on: 310436
Resolution: --- → DUPLICATE
Whiteboard: [sg:nse?] → [sg:dupe 310436] keep confidential, reveals bug 306663
Attachment #208346 - Attachment is private: true
Attachment #208347 - Attachment is private: true
Whiteboard: [sg:dupe 310436] keep confidential, reveals bug 306663 → [sg:dupe 310436] testcases from bug 306663
Group: security
Crash Signature: [@ nsSpaceManager::GetTranslation() line 196]